This chapter describes how to integrate Kaspersky CyberTrace with Splunk.
About the integration schemes
Kaspersky CyberTrace can be integrated with Splunk in two integration schemes:
In the single-instance integration scheme, Feed Service and the Splunk instance are configured to work on the same computer or on different computers.
For more information about the single-instance integration scheme, see section "About the single-instance integration scheme".
In the distributed integration scheme, you install Feed Service, Search Head App, and Forwarder App in your distributed Splunk environment and configure the service and the apps to interact with each other.
For more information about the distributed integration scheme, see section "About the distributed integration scheme".
How to integrate Kaspersky CyberTrace with Splunk in the single-instance integration mode
To integrate Kaspersky CyberTrace with Splunk in the single-instance integration mode:
In the single-instance integration scheme, Kaspersky CyberTrace and the Splunk instance are installed on the same computer or on different computers. By default, Kaspersky CyberTrace App for Splunk is configured to be installed on the same computer with Kaspersky CyberTrace. However, we recommend that you install Kaspersky CyberTrace on a separate computer; in this case, Feed Service must be configured during the installation, and Kaspersky CyberTrace App for Splunk must be configured in step 2 (below).
This step is optional. If you skip this step, Kaspersky CyberTrace App for Splunk will use the default configuration. Email alerts will not be sent in this case.
By default, Kaspersky CyberTrace App for Splunk uses port 9999 to send events to Feed Service and port 9998 to receive events from Feed Service. If these ports are used by another application, you must configure either Kaspersky CyberTrace App for Splunk or this application to use different ports.
This step is optional. If you skip this step, the lookup script will use the default configuration.
Please make sure you perform the verification test before editing any filtering rules in the Feed Utility configuration file.
How to integrate Kaspersky CyberTrace with Splunk in the distributed integration mode
To integrate Kaspersky CyberTrace with Splunk in the distributed integration mode:
In the distributed deployment scheme, you can install Kaspersky CyberTrace on one of the computers that has Forwarder or Indexer already installed, or on a separate computer.
In the distributed deployment scheme, you must configure Feed Service during the installation to receive events from other Splunk entities such as heavy forwarders and indexers, and send its own events to the indexer that stores the index used by Kaspersky CyberTrace App for Splunk.
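The event flow described above (Splunk entities sending events to Feed Service, and Feed Service sending its own events to the indexer that holds the app's index) expressed as Splunk configuration. This is an added example, not configuration shipped with Kaspersky CyberTrace or its Splunk apps; it assumes Feed Service listens on port 9999 and the indexer receives on port 9998 (the single-instance defaults given earlier), and the host name, index name and sourcetype are placeholders.

```ini
# outputs.conf on a heavy forwarder (assumed location: etc/system/local/outputs.conf)
# Sends raw (uncooked) events to Feed Service while still indexing them locally.
[tcpout]
defaultGroup = cybertrace_feed_service
indexAndForward = true

[tcpout:cybertrace_feed_service]
# Placeholder host; replace with the computer where Feed Service runs.
server = feed-service.example.internal:9999
# Feed Service is not a Splunk indexer, so it must receive plain text, not Splunk's cooked format.
sendCookedData = false

# inputs.conf on the indexer that stores the index used by Kaspersky CyberTrace App for Splunk
# Receives the detection events that Feed Service sends back.
[tcp://9998]
index = cybertrace_index_placeholder
sourcetype = cybertrace_placeholder
# Record the sender's IP address as the host field, so events can be traced to the Feed Service computer.
connection_host = ip
```

In a real deployment, restrict what reaches Feed Service by routing only the relevant sourcetypes to the cybertrace_feed_service group with a _TCP_ROUTING rule in props.conf and transforms.conf, rather than forwarding every event the heavy forwarder handles.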
This step is optional. If you skip this step, the lookup script will use the default configuration.
Please make sure you perform the verification test before editing any filtering rules in the Feed Utility configuration file.